Web Hosting Talk







Sir.Cam Virus -- Does it get worse from here!?


Tim Greer
07-27-2001, 06:03 AM
While I've had a few emails with the attachment of this virus, I never got it (in fact, I've never had a virus), but many people I know have. However, it seems there might be more to this than what we know thus far, and here's why:

I'm not sure if this is the same virus, or a modified version, perhaps the original or just another version of it, but there's been cases of much more severe damage.

My wife went to a meeting in Sacramento about 3 weeks ago. At that meeting, her regional manager had informed all the managers at this meeting, to be careful, as he had a virus on his system that did some pretty severe damage to his system, and that it appeared that it emailed the virus in various attachments out to all the people in his email list of managers (myself included).

I don't recall getting the email, but some of the other managers did get it and get infected as well. Some were running virus scanners that picked up and apparently cleaned up. However, what happened, it seems, (and this is before any reports of this virus I know of!), was that not only did it replicate itself and send itself, along with documents and whatnot, out to all these people, but after 30 days (I don't know if it's after 30 days from first getting it, or whatever the case was, but) it popped up a message on his system in large letters saying "Eat **** and die!" or something to that effect. His system has ceased to operate since that message and I believe massive damage was done to his file system -- or so was the same exact case reported to be true by him, as well as some of these other managers that got this virus.

This, to me, sounds like the same virus, or very similar. I'd be almost certain that this virus was checked and they know what this code is doing. So, I am wondering if this wasn't discovered yet, or was it? If not in this virus, is there (it would definitely seem there was!) another similar or other version of this virus that will do more damage within the 30th day of having it? Be careful, and you might want to back up your files, unless or until there's some information about this particular one (if it's the one everyone's getting -- maybe people are getting different versions?) is not that type, or if it's not that version -- because there's definitely one that is very much like this, that does far greater damage.. unless this one does itself and I just didn't read that much about it. However, I don't recall any mention of it, so watch out.

WebSnail.net
07-27-2001, 07:17 AM
Hi Tim,

As it happens I picked up 2 copies of the virus in quick succession about 2 to 3 days before I saw anything in the virus NG's or antivirus sites...

Luckily I had extensions on "Don't hide" so I saw the double extension and deleted immediately...

As for the rest of the symptoms.. it sounds like SirCam to a tee. The payload is a 1 in 33 or something chance which just destroys a system. Nasty.
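
The double-extension check mentioned in the post above can be automated at the mail gateway or in a mailbox audit. The following is an added example, not part of any post in this thread; the extension lists and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click, and document-like decoys that may
# precede them. Both lists are assumptions for this example, not exhaustive.
EXECUTABLE_EXTS = {"exe", "com", "bat", "pif", "lnk", "scr", "vbs", "js"}
DECOY_EXTS = {"doc", "xls", "txt", "zip", "jpg", "pdf", "mpg"}

def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so drop them before parsing.
    cleaned = name.strip().rstrip(". ").lower()
    # Strip each piece so space padding before the real extension cannot hide it.
    parts = [p.strip() for p in cleaned.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"

def scan_message(raw_bytes):
    """Return (filename, verdict) for every attachment that is not 'ok'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if not filename:
            continue
        verdict = classify_filename(filename)
        if verdict != "ok":
            findings.append((filename, verdict))
    return findings

def build_sample():
    """Constructed test message; attachment names and contents are made up."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in ("budget.xls.pif", "notes.txt", "setup.exe"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {filename}")
```
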

Webdude
07-27-2001, 03:18 PM
Good point about the extension Websnail. That got me to wondering how many people here know how to change that? I am uploading a file they can download that will do that. Just download & unzip, double click it, set it till it says "File visibility becoming 1".

1 = file extensions visible.
0 = file extensions not visible.

XTStrike
07-27-2001, 03:24 PM
well, my DATs and my company's DATs update every hour so nothing is ever getting through my systems unless NAI doesn't release the DATs quick enough, haha

thewitt
07-27-2001, 03:40 PM
Originally posted by xtstrike
well, my DATs and my company's DATs update every hour so nothing is ever getting through my systems unless NAI doesn't release the DATs quick enough, haha

The problem of course is that someone must be first. NAI does not have a new DAT file until someone gets hit with the virus, they notify NAI and a new DAT is written and tested.

This is all well and good until you are that first person...

-t

SI-Chris
07-27-2001, 05:33 PM
I'm sure there are modified versions of SirCam out there in the wild already. Who knows what their MO will be.

I just read an interesting thing that I didn't previously know. SirCam has its own built-in SMTP server, so when it sends out e-mail it doesn't go through your regular e-mail software, making it much more stealthy to the unsuspecting victims. (Read that tidbit at http://dailynews.yahoo.com/h/cn/20010727/tc/sircam_worm_built_to_last_1.html )

Cyberpunk
07-28-2001, 07:09 AM
Is it known yet if this smtp system can pass firewalls?

Ie - if you have zonealarm or similar running on a home pc outgoing activity like that should be spotted and alerted?

WebSnail.net
07-28-2001, 08:28 AM
Originally posted by Cyberpunk
Is it known yet if this smtp system can pass firewalls?

Ie - if you have zonealarm or similar running on a home pc outgoing activity like that should be spotted and alerted?

From what I've read on a few virus NG's the firewall will block it... Certainly Zone Alarm will. In most cases that has been one of the things that has twigged people to the problem.

eddie
07-29-2001, 04:23 AM
Well I never had a virus attack before but last night I got attacked by W32.Sircam virus and in front of me it started to delete all the files, shortcuts etc from my desktop. (I thought I was running out of memory and the icons were not refreshing)
The HD was spinning like hell, so I started to close a few programs, and then I decided to turn the PC off.

I restarted it and windows did not start up. I checked the windows Dir and more than half of the files were deleted.

So I have been reinstalling my PC again.

That's Bad Luck :angry:

thewitt
07-29-2001, 09:58 AM
Originally posted by WebSnail.net
From what I've read on a few virus NG's the firewall will block it... Certainly Zone Alarm will. In most cases that has been one of the things that has twigged people to the problem.

This is detection after the fact though, and does not prevent you from having your day ruined by the virus.

If you are catching outgoing SMTP traffic as a viral behavior, you've already been infected...

-t

thewitt
07-29-2001, 10:01 AM
Originally posted by eddie
Well I never had a virus attack before but last night I got attacked by W32.Sircam virus and in front of me it started to delete all the files, shortcuts etc from my desktop. (I thought I was running out of memory and the icons were not refreshing)
The HD was spinning like hell, so I started to close a few programs, and then I decided to turn the PC off.

I restarted it and windows did not start up. I checked the windows Dir and more than half of the files were deleted.

So I have been reinstalling my PC again.

That's Bad Luck :angry:

I'm sorry to hear you were hit.

I hope you have learned your lesson about opening attachments - as painful as this lesson was.

When I'm running Windoze, I save and scan all attachments that can possibly execute. If my virus software is out of date, or the virus is new - there is still a risk of being hit.

I often don't even open the attachment if I'm not certain of who sent it (ie I was expecting it) and what it is.

-t

WebSnail.net
07-29-2001, 11:35 AM
Originally posted by thewitt


This is detection after the fact though, and does not prevent you from having your day ruined by the virus.

If you are catching outgoing SMTP traffic as a viral behavior, you've already been infected...

-t

Yeah, sorry, forgot to make that clear as I was only responding on the "smtp block" issue.

ZoneAlarm doesn't necessarily block the INCOMING virus... but it can stop your machine from sending out more copies to other users... UNLESS of course someone gets hold of it and modifies it to use the OE or other email clients to send the mail for them instead-of/as-well-as its inbuilt thing.

From a supplier's point of view that at least means you won't have your clients looking for you as a lynch mob because you sent it all to them as well... (About the only bright side I can think of sorry :( )